Takedown client-server botnets the ISP-way

Botnets are currently an existing threat to Internet users around the world. Infected users can lose money and personal information. Botnet takedown has been a pressing need of many organizations in the world: the FBI, national governments, and Internet service providers (ISPs). For ISPs, this is a legitimate need to protect their customers and their networks and to meet the requirements of law enforcement agencies.

Basically, there are two types of botnet network models: client-server and peer-to-peer. In particular, ISPs can play a significant role in client-server botnet shutdown based on their inherent advantages.

Normally, in order to dismantle a client-server botnet, organizations must cooperate with service providers (domain name registrars, hosting/server providers) to seize the malicious domain or server, then monitor the connections in order to shut the botnet down. However, this method is quite passive, since it has to wait for the cooperation of the service providers. In particular, it is not feasible against bullet-proof servers.

However, ISPs have many advantages for taking down client-server botnets: they own the users' Internet infrastructure, they are capable of monitoring, processing and routing traffic on their network, and they own the technology that allows deep packet inspection.

In this presentation, we will discuss methods an ISP can use to take down a client-server botnet on its network, based on the ability to redirect malicious connections from the C&C server to an ISP analysis server using the ISP's DNS infrastructure and IP routing, which makes it easy to track and shut down the botnet.
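The two redirection mechanisms the abstract names (the ISP's DNS infrastructure and IP routing) map onto two standard defensive controls: a DNS Response Policy Zone (RPZ) that answers C&C names with the address of the ISP's analysis (sinkhole) server, and static host routes that steer traffic for hard-coded C&C addresses to the same server. The following Python is an added example, not code from the talk or its author; the C&C domain names, C&C addresses, sinkhole address and resolver log format are all constructed for illustration (placeholder `.invalid` names and RFC 5737 documentation ranges), and the RPZ origin `rpz.isp.example` is an assumed zone name. It builds the RPZ zone and route commands, and shows the analysis side: scanning resolver query logs to list which subscribers contacted a C&C name, which is the data an ISP needs to notify and clean up infected customers.

```python
"""Added example: DNS-sinkhole (RPZ) and route-redirect helpers for an
ISP-side client-server botnet takedown, plus a log scan that identifies
infected subscribers. All indicators below are constructed placeholders."""
import ipaddress
import re
from collections import defaultdict

# Constructed C&C indicators: placeholder .invalid names and TEST-NET-3 IPs.
CNC_DOMAINS = ["cnc.botnet-example.invalid", "update.botnet-example.invalid"]
CNC_IPS = ["203.0.113.7", "203.0.113.8"]
SINKHOLE_IP = "192.0.2.10"  # the ISP analysis server (TEST-NET-1, constructed)


def build_rpz_zone(domains, sinkhole_ip, origin="rpz.isp.example"):
    """Emit a BIND-style Response Policy Zone in which every C&C name (and
    any subdomain of it) resolves to the sinkhole. Loaded on the ISP's
    recursive resolvers, this sends bots to the analysis server instead
    of the real C&C host. `origin` is an assumed zone name."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ SOA {origin}. hostmaster.{origin}. 1 3600 600 86400 300",
        "@ NS localhost.",
    ]
    for d in sorted(set(domains)):
        # Owner names are relative to $ORIGIN, as RPZ expects.
        lines.append(f"{d} A {sinkhole_ip}")
        lines.append(f"*.{d} A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


def route_redirect_commands(cnc_ips, sinkhole_ip):
    """Static /32 host routes for bots that carry a hard-coded C&C address
    and never touch DNS. The next hop is the sinkhole server."""
    cmds = []
    for ip in sorted(set(cnc_ips), key=ipaddress.ip_address):
        net = ipaddress.ip_network(ip)  # a bare address becomes a /32
        cmds.append(f"ip route add {net} via {sinkhole_ip}")
    return cmds


# Constructed, simplified resolver query-log line:
#   <timestamp> client <ip>#<port> query: <qname> IN <qtype>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>[\d.]+)#\d+ query: "
    r"(?P<qname>\S+) IN (?P<qtype>\w+)"
)


def infected_clients(log_lines, cnc_domains):
    """Return {subscriber_ip: {queried C&C names}} for every client that
    looked up a C&C name or one of its subdomains. Matching is
    case-insensitive and ignores the trailing dot; malformed lines are
    skipped rather than crashing the scan."""
    watch = {d.lower().rstrip(".") for d in cnc_domains}
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if qname in watch or any(qname.endswith("." + d) for d in watch):
            hits[m.group("client")].add(qname)
    return dict(hits)


# Constructed sample log: one clean lookup, two infected subscribers
# (one of them via a subdomain, one with odd casing), and one broken line.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 client 198.51.100.23#51234 query: cnc.botnet-example.invalid. IN A",
    "2024-01-01T10:00:01 client 198.51.100.41#40001 query: www.example.com. IN A",
    "2024-01-01T10:00:02 client 198.51.100.23#51240 query: gate.update.botnet-example.invalid. IN A",
    "2024-01-01T10:00:03 client 198.51.100.77#33000 query: UPDATE.BOTNET-EXAMPLE.INVALID IN A",
    "this line is not a query record",
]

if __name__ == "__main__":
    print(build_rpz_zone(CNC_DOMAINS, SINKHOLE_IP))
    print("\n".join(route_redirect_commands(CNC_IPS, SINKHOLE_IP)))
    for client, names in sorted(infected_clients(SAMPLE_LOG, CNC_DOMAINS).items()):
        print(f"{client}: {sorted(names)}")
```

The RPZ zone is the DNS half of the redirection and the host routes are the IP-routing half; a bot that reaches the sinkhole through either path shows up in the analysis server's connection logs, and the resolver-log scan gives the subscriber list needed to follow up with customers.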

Quảng Trần
Reverser, CTF player, malware analyst, security researcher and also programmer. Member of @PiggyBirdCTF team.